Pros

Successfully protected against real-world ransomware samples and cleaned up all traces of ransomware in testing.
Very easy to use.

Cons

Not free like some competing products.
In one test, it reported failure even though it succeeded.

Bottom Line

Check Point ZoneAlarm Anti-Ransomware is the most effective ransomware-specific security tool we've seen.
In testing, it showed complete success against all of our real-world samples.

22 Jun 2018, Neil J. Rubenking

The best antivirus utilities use many different layers of protection, from the matching of malware signatures to heuristic analysis to behavior-based detection. Every now and then, though, some new attacker makes it through all the layers and plants something nasty on your PC. In most cases, an antivirus update wipes out the malware infestation within a few days, or even hours. That can be a hollow victory, however, if the attack involved ransomware. Sure, the malware itself is gone, but your files remain encrypted and inaccessible. Because of that potential for lasting damage, you'd be wise to install an additional layer of protection designed specifically for ransomware protection—something like Check Point ZoneAlarm Anti-Ransomware.

This utility's code base comes from a larger, enterprise-level protection system, Check Point's Enterprise Forensics. RansomFree also relies on code from a business-level security system. The code for Malwarebytes Anti-Ransomware Beta goes in the opposite direction, however. After the latest technology has kicked around in the consumer realm for a while, the company uses it to enhance Malwarebytes Anti-Ransom for Business.

Acronis, Bitdefender, RansomFree, RansomStopper, and Malwarebytes Anti-Ransomware Beta are totally free. ZoneAlarm isn't free, but at $1.99 per month after a free 30-day trial (or $2.99 per month for three licenses), it's hardly expensive. You can save by paying $19.99 for a full year. As you'll see below, it also proved extremely effective in testing.

Techniques for Ransomware Protection

Malwarebytes, RansomStopper, RansomFree, and ZoneAlarm all work by watching active processes for behaviors suggesting ransomware activity. Webroot SecureAnywhere AntiVirus adds behavior-based ransomware detection on top of its other protective layers, and its journal-and-rollback management of activity should let it reverse any chicanery that a ransomware threat perpetrated before its discovery.

However, behavior-based detection is just one technique. There are a number of other ways for security products to implement ransomware protection. For example, Bitdefender Anti-Ransomware uses a "vaccination" technique that prevents infection by making ransomware from certain specific families think that the PC has already been encrypted.

The point of encrypting ransomware is not to disable your computer. You'll need that computer working to pay the ransom, after all. The most vulnerable files are your documents, images, and other personal files, so some products thwart ransomware by banning unauthorized modification of these files. Bitdefender Antivirus Plus, Trend Micro RansomBuster, and Panda Internet Security are among the products that use this type of protection. When there's an attempt at unauthorized access, you get a notification. If your new image-editing utility triggered the warning, you simply add it to the trusted list. But if the warning doesn't match anything you're doing, block it!

Panda Internet Security goes one step further, blocking even read-only access by unauthorized programs. In addition to keeping ransomware out, this level of protection can also serve to foil data-stealing Trojans.

Before a security solution can analyze a program's behavior for telltale signs of ransomware, that program might well encrypt a few files, or even a lot of files. Acronis Ransomware Protection includes behavior-based detection along with its central backup functionality, but it can also automatically restore any encrypted files from secure online backup. ZoneAlarm also aims to restore any files hit by ransomware, and it does an impressive job.

Getting Started With ZoneAlarm Anti-Ransomware

While the product is free for 30 days, you do have to create or log in to your Check Point account online, and you do have to provide credit card information. You can cancel with no charge right up to the 30-day deadline, but after that you'll start paying $1.99 per month.

Installation is quick and simple. Within minutes, you see the big, super-simple main window. All it says is that it's protecting your files from ransomware. There are no settings, no logs, nothing but that simple screen of information. You can minimize the program to its icon in the notification area and never think about it again…until ransomware attacks. You may notice some new files in your Documents folder and elsewhere; like Cybereason RansomFree and RansomStopper, ZoneAlarm creates "bait" files to help track ransomware behavior.

Real-World Ransomware Protection

How do you test a behavior-based ransomware protection tool? Truly, the only way to do it is to use live, real-world ransomware. Simulation tools can be useful, but any simulator that fully and truly emulated ransomware behavior would itself be ransomware. To check ZoneAlarm's protection, I used a half-dozen ransomware samples found in the wild. Naturally I perform this testing in an isolated virtual machine that gets wiped after each test.

Shortly after I launched the first sample, the main ZoneAlarm window appeared with a big warning that it had detected a ransomware attack. A toaster-style transitory popup also announced this discovery. My Check Point contacts pointed out that this popup isn't redundant—if you're enmeshed in a modern UI application you'll see the popup, not the main window.

After a short while, the app announced that it quarantined the ransomware. It warned that the attack changed some files, but offered to repair them. Naturally I chose the repair option. On the page that lists affected files, there's a big Not Ransomware link. In the rare event that ZoneAlarm accidentally identifies a valid program as ransomware, clicking this link is your chance to rescue the program from quarantine. I didn't see any false positives, so in each case I chose to repair the files and checked the status of those files afterward. ZoneAlarm handled all of the samples just as simply as that.

This is a truly impressive showing. RansomFree detected my samples, but didn't clean up things like ransom notes. Malwarebytes let the ransomware encrypt a few files before managing to stop the process. Acronis totally missed one of my samples. And CryptoPrevent Premium missed most of my samples, despite overwhelming the desktop with a plethora of bait files. Only RansomStopper did better, blocking all the samples without requiring a cleanup phase afterward.

Simulated ransomware isn't entirely without value. A ransomware solution can demonstrate success by blocking the simulations. I just don't take failure to block simulated attacks as an actual failure. I tried to test ZoneAlarm using the RanSim ransomware simulator from KnowBe4. However, ZoneAlarm detected and eliminated the program's helper processes, leaving a score of zero successes and zero failures.

Additional Tests

Since my original review of this product, I've added more tests. I wondered if ZoneAlarm would still look good after facing these new tests. It did!

The Petya ransomware attack differs from all my other samples. Instead of encrypting files, it fakes a system crash and pretends to be running CHKDSK on reboot. In reality, it's encrypting your entire hard drive. You don't just lose files to Petya; you lose all access to your computer.

When I launched the Petya sample, ZoneAlarm caught it right away, as did RansomStopper and Acronis. I haven't tested every ransomware protection product against Petya, but CryptoDrop Anti-Ransomware, Malwarebytes, and RansomFree didn't handle the Petya attack.

I also discovered that some products can't block ransomware that only does its dirty deeds at boot time. To test this possibility, I set one of my samples to launch at boot and restarted the system. At first, I thought that ZoneAlarm had failed. The ransomware encrypted many files and changed the desktop background to its ransom note. But after a minute or two, ZoneAlarm popped up and went to work. When it finished, it had restored all the files and eliminated the ransom note. Whew!

The Best Ransomware Protection

Ransomware protection is still a new field, with new products turning up all the time. Among the ransomware-specific tools I've evaluated so far, ZoneAlarm Anti-Ransomware is a clear winner. It successfully handled all my real-life ransomware samples, and it fixed all changes made by the ransomware processes, including wiping out ransom notes that some other products leave behind. If ransomware is a big concern for you, the $1.99 per month price tag shouldn't be too much of a burden.

If you are not ready to spend the price of a cup of coffee for a month's protection, you can still get effective protection against ransomware. CyberSight RansomStopper doesn't cost a penny, and it did just as well in testing as ZoneAlarm did. You could even argue that it did better. Where ZoneAlarm repaired all affected files, RansomStopper never allowed encryption in the first place. These two are our Editors' Choice products for dedicated ransomware protection.

Check Point ZoneAlarm Anti-Ransomware

Bottom Line: Check Point ZoneAlarm Anti-Ransomware is one of the most effective ransomware-specific security tools we've seen. In testing, it showed complete success against all our real-world samples.


About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips and solutions on using DOS and Windows, his technical columns clarified fine points in programming and operating systems, and his utility articles (over forty of ...